How To Deny Directory Listing Using .htaccess

Often when you’re using shared hosting, there are some problems with directory listing. Server administrators should avoid this as this represents a security hole. But what to do if you don’t have access to httpd conf and need to prevent directory listing? What to do if you have something like this:

A simple string in .htaccess file will save you. Here it is:

IndexIgnore *

In some cases the following string will also work:

Options -Indexes

One of these two solutions will lead you to showing 403 error to the user that tries to look what files are located in your directory. But let me repeat – this is a security hole and you should notify your system administrator about this issue. This is an emergency solution…

2 thoughts on “How To Deny Directory Listing Using .htaccess”

This is hardly a security issue (unless your site is designed in an insecure way). While it’s not helping security to list the files in a web directory, you shouldn’t have to worry about it unless you have a flawed method of security. Seriously, this is not a security hole by any means and is definitely not an emergency. It’s more of a preference if you want files to be listed or not. I repeat, this is only a security concern if you have lose, web accessible files, that happen to have sensitive information in them that can be viewed by any requester’s web browser — and that would be an awful site design on the user’s part, if so.

Agree with you … and don’t agree. :) For example, check here: http://www.tech-evangelist.com/2008/02/13/protect-directory/ – there are some reasons why doing so is insecure. If you don’t have enough experience in PHP programming or site management, it is better not to leave directory listings. Directory listing itself doesn’t represent a security issue, but only when you’re completely sure everything is OK with the files listed.